Abstract: Shared data access maximizes resource utilization on the Internet but raises the issue of data security. We consider a method of shared data access control whereby the data is sub-divided into categories and each encrypted with a unique cryptographic key that is distributed to the user group requiring access. Key management can be simplified by classifying every user into exactly one of a number of disjoint groups that are partially ordered such that lower level keys are mathematically derivable from higher level keys, but not the reverse. The drawback in this approach is that changes in group membership imply updating both the affected group key and those that are derivable from it. Moreover, the data encrypted with the affected keys must be re-encrypted with the new keys to preserve data security. In the worst case, when the affected group is at the highest level of the hierarchy, the entire hierarchy is affected. This paper presents an algorithm that minimizes the cost of key replacement (rekeying) by associating a timestamp to each key. The timestamp and key are used to compute a verification signature that is used to authenticate users before data access is granted. Thus, whenever group membership changes, instead of rekeying and re-encrypting the affected data, only the timestamp is updated and a new verification signature computed. The new scheme is analyzed using both a time complexity and experimental analysis.
Keywords: Cryptography, access control, data sharing, group communication, authentication
